Apple Patents Power Adapter That Recovers Lost Passwords
Sparrowvsrevolution writes "Apple has patented a power charger that also serves as a password recovery backup. If a user forgets his Macbook's password, for instance, he simply plugs in the cord, and it would provide a unique ID number stored in a memory chip in the adapter that acts as a decryption key, unscrambling an encrypted copy of the password stored on the machine. The technique, according to the patent, incentivizes better password use by avoiding traditional password recovery techniques that annoy users and lead to disabled or easily-guessed passwords. The new technique is only secure, the patent admits, in cases where the user leaves a mobile device's charger at home. So the idea may make the most sense for long-battery-life devices like iPods, iPads and iPhones rather than laptops, at least until laptop batteries last long enough that users don't take their power adapters with them and expose them to theft."
Well that's a reasonably stupid idea. Store the password with something many users are going to carry around with their laptop...
And even if you didn't.. you forget your password on the road, then what? And this is less annoying than having to answer a previously entered question?
Kills the 3rd party accessory market. Because you won't be able to get "crypto" power blocks from anyone else. Wanna bet?
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
Than a normal USB security token? It seems like a power adapter is likely to be taken with the user. A smaller token could be carried on the person of the user. Or you can just write your password on a post-it in your wallet.
The Daddy casts sleep on the Baby. The Baby resists!
Why not have it on a microSD card?
Passwords use *one way* hashing systems for a reason.
Thank you Apple, for once again eliminating desktop security.
Given the number of people I see charging up their smartphones in the office, I'd say the Apple patent people haven't quite grasped that smartphone battery life is a long way from what many people would like.
(Also, given that most non-computer devices like iPhones charge over USB, this seems distinctly less impressive. 'Put some data on some flash memory inside the battery charger' and transmit it over the USB connection hardly requires the kind of ingenuity that sending passwords up a DC power cable to a laptop does.)
Cupertino has started dosing again.
I object to power without constructive purpose. --Spock
OK, it's a daft idea for various security related reasons -- but that's fine. People patent daft ideas all the time; doesn't mean they plan to implement them.
What I don't get is, why bring power adapters into it? Why not patent a more general case, then if someone builds it into a power adapter, the patent covers it. If someone builds it into (say) an MP3 player, the patent covers that too.
Security is only as strong as its weakest password recovery method.
This whole idea completely forgets that the whole purpose of your password might be to stop your little-brother/offspring/tech-illiterate-housemate (ie: anyone who lives with you) from screwing up your device.
As if they need a technical restriction, when they're so heavy handed with the legislative restrictions.
I'd never buy, for example a phone, that didn't have a micro USB charger, or a stereo that had a wacky proprietary interface like an "ipod dock".
It shouldn't be legal to block or tax 3rd party accessory makers, and what's needed is more forced standards for consumer screwing companies like Apple.
... a paper clip which is capable of encrypting eBooks.
I suppose it's better than going to the Apple store, shuffling your feet and mumbling sheepishly you somehow forgot your password, but what if I have a power adaptor and swiped your phone, can I now hack it?
A feeling of having made the same mistake before: Deja Foobar
The whole point, I suspect, is that people forget flash drives. Or have several and don't know which one they stored their password on.
OTOH, they tend to only have one and only one charger, and that's significantly harder to lose.
Non impediti ratione cogitationus.
Seriously?
Boot while holding down Apple-S
mount -uw /
rm /var/db/.AppleSetupDone
shutdown -h now
Bam. Administrator access and all the password resetting glory you need thereafter.
I don't even have a Mac and I know how to do it. How fucking easy does it need to be?
-- I wanna decide who lives and who dies - Crow T. Robot, MST3K
From TFA: "So the idea may make the most sense for long-battery-life devices like...iPhones"
In what universe is an iPhone a "long-battery-life" device?
It seems to me this was done, not for security, but for business reasons. Now Apple can use the DMCA to keep other companies from making power adapters for Apple products.
You've never worked in my office then..
day in day out users "forget" their chargers. What happens in fact is they leave it at home because they are a lazy slob and don't want to carry it / lean over and unplug it. I know this, because I offered some users a spare charger and then they explained how much better it is now they don't need to carry / lean over.
- http://www.milkme.co.uk
Hmm I can see this being pretty popular if there's an easy way to grab the password. Otherwise you've got the power adapter but no laptop that will be unlocked with it.
I wonder if Apple will also stop chargers from charging any laptop that doesn't have the same password hash?
All the world's a CPU, and all the men and women merely AI agents
On the flip side, if someone wants to steal their stuff, it's a lot harder to know which flash drive has the password. It's fairly easy to recognize the charging cable.
All the world's a CPU, and all the men and women merely AI agents
And even then, it's only secure if nobody breaks into your home. And you'll need a separate power adapter for use outside home. Under these conditions, you can ditch the home power adapter and replace it with a piece of paper with the password written on it.
On the other hand, you can put that flash drive in the safe and not have to pull it out every day... Only when you forget your password.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
This is just a rather ridiculous convenience/security tradeoff for now, but it will be interesting once the enhanced power adapter becomes required.
Think of the possibilities. Every device and accessory, even every component of the computer, could have cryptographic protection built right into the hardware in a way that cannot be reverse-engineered. A secure computer can only contain secure hardware (and vice versa), only approved devices can be connected to an approved computer, only an approved computer can run an approved operating system, and only an approved operating system can establish an internet connection. It will be a glorious future.
apple patents something as soon as the work is done. they don't wait for it to become usable in a device.
From what I can tell (from TFS) the adapter only has a number that acts as a decryption key. You wouldn't be able to get the actual password from just the adapter itself. Though it may be possible to figure out the password based on just the decryption key. I'm not very well versed in cryptography, so if someone who is wants to correct me on this, feel free.
All the world's a CPU, and all the men and women merely AI agents
All hashes are one way because data is thrown away. You can't even reverse simple checksums like CRC32.
This system doesn't store a plaintext password. It's like a secondary authentication system. Think SSH: You can authenticate using a password OR public key cryptography.
Except when you and your machine are in Ogdenville and your safe with your pen drive is in North Haverbrook.
Non impediti ratione cogitationus.
Put another chip in the wall outlet, that will communicate with a charger device using BPL, Data over Powerline, short range communications, RFID, or bluetooth; e.g. a "Password recovery" agent installed in a device somewhere else in the home plugged into another wall outlet, or built in to the outlet itself. wireless AP, linksys box, NAS, TVs, other home appliances would be good candidates to form a BPL-enabled self-organizing P2P network for facilitation of password recovery and theft prevention.
Some of the devices could incorporate a GPS location reading. If the device's location has changed significantly, then it is less familiar.
When the user logs into their computer, and authenticates, there will be a program they run on their computer to cause the power unit to "learn" which will scan the BPL or bluetooth for other devices.
Require the presence of other "familiar" home devices, for the password recovery procedure to be initiated.
This could also help if the charger got damaged or lost... just plug a new one in, enter the "House PIN #", and have it build the same shared secret key based on the identities of the familiar devices surrounding it that have an agreed upon shared key.
Also, high theft-risk non-mobile devices could enter an auto-lockdown mode, if powered on and no "familiar devices" are around.
Makes you wonder what Apple is doing now...without your consent or knowledge.
All it took is sticking a PostIt note on the side. Can I now patent moving the sticky to the inside of my closet, where it will be more secure from friends and allow me to take the charger for travel?
The more junk they cram in the power adapters, the harder it is for 3-rd party companies to make copies without Apple's consent.
It was worthless before and it's still worthless now. I'm not even upset that they patented this trivial and non-novel idea.
"When information is power, privacy is freedom" - Jah-Wren Ryel
From what I can tell (from TFS) the adapter only has a number that acts as a decryption key. You wouldn't be able to get the actual password from just the adapter itself. Though it may be possible to figure out the password based on just the decryption key. I'm not very well versed in cryptography, so if someone who is wants to correct me on this, feel free.
Either accomplished by it being the Original Power Adator or something you twiddle with software, presumably when the i(insert Apple product here) is connected to the Power Adator and already unlocked. Sucks to be you, if you are like me and keep multiple Power Adators at various locations, rather than lugging the thing around with my like some kind of Cupertino-required parasite.
A feeling of having made the same mistake before: Deja Foobar
I keep hearing this about patents.
If it's trivial and non novel then why is no one doing it or previously put a patent on it?
It's not trivial or non-novel. it's just not being done.
Non impediti ratione cogitationus.
Though it may be possible to figure out the password based on just the decryption key.
It's not, at least not using any common cryptographic algorithm. Keys are supposed to be randomly generated.
Dilbert RSS feed
It's not going to stay "power adapter with password," that's just the simplest and most abstract (read: absent real hints of product plans) example they came up with for the purposes of the patent.
I predict that eventually the communications will go elsewhere, for a push-button support system like OnStar for AppleCare. Subscription fees FTW!
When I was a kid, we only had one Darth.
If it's trivial and non novel then why is no one doing it or previously put a patent on it?
Well apart from the fact that this particular idea is stupid (thus, nobody doing it), sometimes things just luckily don't get patented, like "fuel cells on a computer" and "fuel cells on a cell phone" which were both shockingly not patented up until this year. Somehow even among swarms of lawyers, a few conceivable ideas go unpatented sometimes. Shocking, I know.
This idea is both trivial (passing data to a power adapter which attaches to a port that can also pass data? Wow not like half the USB-charged devices on the planet do that!) and non-novel (acts as a security key like the metric shit-tons of USB fobs that have been on the market over the last decade).
"When information is power, privacy is freedom" - Jah-Wren Ryel
Sucks to be you, if you are like me and keep multiple Power Adators at various locations, rather than lugging the thing around with my like some kind of Cupertino-required parasite.
Yeah I do this with my phone. Also, what the hell is an adator? Even if you remembered the "p", it's not spelled "adaptor".
All the world's a CPU, and all the men and women merely AI agents
You miss the point of the patent. It's to prevent other people from doing something which reads on their invention. Not necessarily to implement it themselves.
That said, Apple will probably use this, but I doubt they will turn this into their default and only password recovery method. More likely, it will be an (expensive) optional add-on. This is direct in-house competition to all the crazy ways third parties offer to keep passwords secure for the Windows environment.
You have taken a patent and assumed how it will be implemented, and attacked that. Pretty much your basic strawman argument.
"Sir, we need your password" becomes "Sir, we are confiscating your laptop charger."
Brilliant idea. Not.
wrong. at least this time ;)
lots of good reasons for apple to do this. they want you to continue to use apple hardware and they have a lock-in effect going on. other than that mag-lock stuff, a power brick was a power brick. batteries are starting to be chipped/locked, but so far, I've not seen power sources be locked.
I bet we'll see that soon, though.
also, apple did this because they could, not because it's a strikingly good idea for the world. you *can* send data comms along a power path and double-up on it. you *can*. but is there a good reason to? there sure is value in keeping power sources somewhat dumb. they push power (current) at you at a fixed voltage or voltage set. no need to crypto-up that path!
I bet there is also a patent defense plan here. anyone who wants to 'talk' along that path will probably get hit with an apple patent threat-suit, legit or not.
it does seem like a dumb idea, overall; but apple is getting a few things from this. it's not about users. heh - lately, nothing is ever about the users (benefit).
--
"It is now safe to switch off your computer."
Right, so again - why has no one done it before?
It's actually quite a good idea. If you forget your password you're not screwed, since you can unlock your device when you get home.
You'll notice they didn't patent the "metric shit-tons of USB fobs", but a different way to authenticate a device.
Whether it's different enough from a separate USB dongle that can unlock the computer is something the patent office should deal with.
It's actually quite a good idea. If you forget your password you're not screwed, since you can unlock your device when you get home.
It's a good idea if you want joke security, and the passphrase screen most phones have is poor enough. I hope they won't allow this authentication method to bypass any full-disk encryption. It will be common knowledge among thieves and black hats that you can unlock an iShiny using the included power adapter that's usually plugged into the device when it's laying around. What could possibly go wrong?
"When information is power, privacy is freedom" - Jah-Wren Ryel
Yes, that's exactly what it means. There can be no question at all.
Also, the sky is falling and you forgot to log in.
You can forget many passwords. But who would forget the password for the device he uses every day?
So, if someone robs my home they can get all the supposedly secure information stored in my machine if they also take the charger? And this passes as secure? Are you kidding me?
If they want an external piece of hardware to unlock my computer, just make it use the IR or Bluetooth and be small - so I can keep it on my person. Other than that, it'll be pretty much useless.
This is not a patent, this is an application publication. You can tell because it says "pub no" in the upper right corner instead of "patent no". For reference:
Link to publication from TFA
Link to a real patent (believe it or not)
TFA author can't tell the difference, which is incredibly obvious once you know what you're looking for. And a lot of applications never become a patent.
Now that the application has published, anyone who knows of any prior art might be able to let the patent office know about it if this application isn't examined before the new law kicks in September 16 this year. See the America Invents Act, section 8 (starts bottom of page 32).
This post expresses my opinion, not that of my employer. And yes, IAAL.
Ahh good, so if I'm traveling and take my laptop (a nice 17" MBP), I have to take a different power cable, because if I don't, someone can just use my power cord to get into my accounts. Since the only time I use my laptop is when I'm traveling, that effectively makes the power cord that came with it useless, and I get to pony up another $80 for proprietary Apple power cord.
The only way this wouldn't be a negative feature for me would be if it were entirely optional. Otherwise it makes my purchase *worse*.
Put it on a $2 USB dongle that I never have any reason to take *anywhere*. That actually makes sense.
--Jeremy
Jesus was a liberal
Take a look at the silly ol' PDF. You'd think the Forbes guy would have too. This stores a "password secret". I.e. a password hint, not necessarily a password. This is a good idea I think as it grounds the device to you. Instead of giving that hint to anyone, the hint is further protected by the power charger requirement.
This doesn't push out a password, it further protects a password hint. This improves security. It doesn't open a new vector for attack that doesn't already exist.
Also, as with most things, turn it off if you don't want it.
Brilliant! Now the person, who breaks into my apartment and steals my Macbook, no longer has to guess my password. He just takes the charger, and thus all my personal data with himself. What a shitty idea from Apple!
- the color-changing case
- the mouse with rotary dial
- liquid cooled notebooks
- et bloody cetera
The first to find a Slashdot article about an Apple patent that actually was implemented gets my next 5 Mod-points as "Insightful", no matter how stupid their posts. Yes, even if you are one of my foes.
Fandroids hate facts.
It obviously doesn't make it worse if it's optional. It makes it better for those that want it, and no different for those that do.
USB sticks have been doing this forever.
Never tried it, but along these lines...
No one's seemed to notice that the inventor here is the legendary Bud Tribble... http://en.wikipedia.org/wiki/Bud_Tribble
Abstract
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for storing a password recovery secret on a peripheral such as a power adapter by receiving a password recovery secret at the power adapter via an interface with the computing device...
Claims:
1. A method of storing a password recovery secret on a power adapter, the method comprising: receiving a password recovery secret associated with a computing device at an electrical power adapter via an interface with the computing device; and storing the password recovery secret on a memory in the electrical power adapter.
2. The method of claim 1, wherein the password recovery secret is based on a password, wherein the password is encrypted using a key comprising a universal unique identifier associated with the computing device.
7. The system of claim 6, further comprising: a fourth module configured to control the processor to verify the received password recovery secret with an authentication server.
12. The non-transitory computer-readable storage medium of claim 11, wherein the peripheral device is at least one of a power adapter, an external hard drive, a network router, a smartphone, a mobile device, a remote control, an external monitor, and a printer.
BACKGROUND ... Although the examples and discussion in the disclosure are directed to a power adapter, other peripherals can be substituted as well, such as a printer, portable hard drive, docking station, wired or wireless network router, backup device, flash drive, a smartphone, a mobile device, a remote control, and an external monitor. Multiple peripherals can operate in conjunction or simultaneously.
[0004] Computing devices, such as desktop computers, laptop computers, smartphones, PDAs, and so forth, include security measures requiring a user to enter credentials, such as a username and password, to obtain access to the computing device. However, it is inevitable that at least one user will forget their username and/or password. One approach to recovering this information is to log in as an administrator to reset the password, but this approach often fails because the user typically forgets the administrator credentials or forgets that the administrator account even exists. Another approach is to prompt the user to enter a password recovery phrase, such as "what is your mother's maiden name?" However, users typically enter this information once during account creation and often forget what they entered as the password recovery phrase. Yet another approach relies on biometrics, but this approach is not useful when the user is not nearby the computer or when the user dies, for example.
[0005] Many users view the above approaches as too inconvenient, especially if they involve a system administrator. The result is that the user chooses not to use a password or uses a trivial password, such as a short password or an easily guessable password. Especially in the case of portable computing devices, this presents a security risk if an opportunistic thief steals the device. Although it can be difficult to provide both convenient password recovery and security in all use scenarios, one increasingly important scenario involves protecting a portable computing device when a user carries the device separately from a commonly associated peripheral device. If this particular use scenario can be protected and password recovery can be provided in a convenient way, then the user is more likely to use a password, and protection will be increased.
[0006] Accordingly, what is needed in the art is an improved way to recover lost or forgotten electronic credentials, while still protecting the computing device in the common case when it is not with its associated peripheral device.
[0028]
Fandroids hate facts.
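Claims 1 and 2 quoted above, as an added sketch that is not code from the patent application or from Apple: the recovery secret is the password encrypted under a key derived from the computing device's UUID, and the peripheral only stores that blob. Assumptions made here: PBKDF2 for key derivation, an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a standard-library stand-in for a real authenticated cipher, and hypothetical names (`PowerAdapter`, `make_recovery_secret`, `recover_password`) with constructed sample UUIDs and password.

```python
import hashlib
import hmac
import secrets
import uuid
from typing import Optional

# Constructed sample values, not taken from the page.
DEVICE_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
OTHER_UUID = uuid.UUID("87654321-4321-8765-4321-876543218765")
SAMPLE_PASSWORD = "correct horse battery staple"


def _derive_keys(device_uuid: uuid.UUID, salt: bytes):
    """Stretch the device UUID into separate encryption and MAC keys."""
    okm = hashlib.pbkdf2_hmac("sha256", device_uuid.bytes, salt, 50_000, dklen=64)
    return okm[:32], okm[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in for a real cipher, see lead-in)."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_recovery_secret(password: str, device_uuid: uuid.UUID) -> bytes:
    """Claim 2: password encrypted under a key comprising the device UUID."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(device_uuid, salt)
    plaintext = password.encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def recover_password(blob: bytes, device_uuid: uuid.UUID) -> Optional[str]:
    """Return the password, or None if the blob does not verify on this device."""
    if len(blob) < 64:  # salt + nonce + tag alone take 64 bytes
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(device_uuid, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream)).decode("utf-8")


class PowerAdapter:
    """Claim 1: the peripheral receives the recovery secret and stores it."""

    def __init__(self) -> None:
        self._memory = b""

    def store(self, recovery_secret: bytes) -> None:
        self._memory = recovery_secret

    def read(self) -> bytes:
        return self._memory


def demo() -> dict:
    adapter = PowerAdapter()
    adapter.store(make_recovery_secret(SAMPLE_PASSWORD, DEVICE_UUID))
    blob = adapter.read()
    return {
        # Adapter plus the paired device: recovery needs no user knowledge.
        "paired_device": recover_password(blob, DEVICE_UUID),
        # Adapter plus any other device: the blob fails verification.
        "other_device": recover_password(blob, OTHER_UUID),
        # The adapter's memory does not hold the password in the clear.
        "plaintext_on_adapter": SAMPLE_PASSWORD.encode() in blob,
    }


if __name__ == "__main__":
    print(demo())
```

The result makes the threat model in the summary concrete: the scheme protects a device carried separately from its adapter, and offers nothing once both are in the same hands.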
So basically... You get your laptop stolen, and it's EASIER for someone to get into it without having to break a password or reinstall the OS? Cool. No thanks.
One would think you could code a new power adaptor to an existing piece of hardware. But you're totally right about mac laptop adaptors.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
Credit cards can be cheaper than cash in terms of pure numbers, but it's a gamble and to my flawed brain with all its cognitive mess ups I prefer something I can hold.
1) You're relying on that payment at the end of the month.
- If your bank goes bust you need the BoE to print enough money for the bailout.
- If your company has a cashflow problem (your own company, or a company you work for), you could be screwed pretty quickly. There's a chance that one late payment snowballs into complete bankruptcy
2) It's a debt system. For the period of time you owe the card company you're in the debt system just that little bit more. This changes the way we think about money. This in turn changes us, what we do and more. More than that, it actually changes how we think about each other; this is a bit hard to get one's head around.
In a simple way I was looking at my bank account this month and thought to myself; I only have a credit card bill coming out each month (yes, really, I've worked at this!) I'm always checking up on that. If I didn't have that I wouldn't need to worry for my bank account. For me that's priceless.
A key thing about working in cash is it's haptic feedback; you know what's going on. It keeps you in touch.
I've learnt this about cash because I've been living in Argentina. There, over 10 years after their last crash banks offer 20% discounts at supermarkets and still people prefer cash. Likewise my girlfriend only uses the bank for big discounts like this and her wage only because she pretty much has to. As an example she gets a 40% discount with her gym for automatic payments. And you know what they do? EVERY month they raise the price without telling her.
That's the price of not staying in touch.
The thing is, I always thought I knew what £1000 is, but until I started using cash I didn't realise how out of touch I was. You have to use nothing but cash for at least a month to have any experience to judge. It's a bit like arguing the toss on vegetarianism, who's to know if you haven't properly experienced both eating meat and not eating meat, for example?
Of course it's harder to quantify the advantages of cash vs a credit card's cashback % and section51 rights. But I think there have been some studies, something along the lines of people spend more when they see a number (because it's harder to judge). Like I say though, we always think we can judge better than we really can.
I'd love to have a number in my head along the lines of "I'll only use this credit card if I get a discount of >20%" because the risks have been budgeted for. I think the number in my head is probably less important than that section51 refund rights.
Just look at some of the things people do with Bitcoins for example, you wouldn't agree to work for a month without pay, yet this is what people have been seen gambling with.
A blog I run for the wealth
[B]atteries are starting to be chipped/locked, but so far, I've not seen power sources be locked.
I bet we'll see that soon, though.
Where I live, we have this law, which I don't see why couldn't be expanded soon. I think the US has some goal set with the lock-up business.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
The power adapter preserves passwords for whom?
The mind conceives, the body achieves, the spirit manifests.